1. Operations Security

1.1. Understand security operations concepts

1.1.1. Need-to-know/least privilege

1.1.2. Separation of duties and responsibilities

1.1.3. Monitor special privileges

1.1.4. Job rotation

1.1.5. Marking, handling, storing and destroying of sensitive information

1.1.6. Record retention

1.2. Employ resource protection

1.2.1. Media management

1.2.2. Asset management

1.3. Implement and support patch and vulnerability management

1.4. Implement preventative measures against attacks

1.5. Understand change and configuration management

1.6. Understand system resilience and fault tolerance requirements

1.7. Manage incident response

1.7.1. Detection

1.7.2. Response

1.7.3. Reporting

1.7.4. Recovery

1.7.5. Remediation and review

2. Cryptography

2.1. Understand the application and use of cryptography

2.1.1. Data at rest (e.g., Hard Drive)

2.1.2. Data in transit (e.g., On the wire)

2.2. Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)

2.3. Understand encryption concepts

2.3.1. Foundational concepts
  - Plaintext
  - Ciphertext
  - Encrypting
  - Hashing
  - Substitution Ciphers: Monoalphabetic, Polyalphabetic
  - Transposition Ciphers
  - Stream Cipher
  - Block Cipher: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), Counter (CTR)
  - Initialization Vector (IV)

2.3.2. Symmetric cryptography: Data Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES), Rivest Cipher / Ron's Code (RC), Blowfish, Twofish, CAST5, IDEA

2.3.3. Asymmetric cryptography: Rivest, Shamir & Adleman (RSA), Diffie-Hellman (DH), El Gamal, Merkle-Hellman (Trapdoor) Knapsack

2.3.4. Hybrid cryptography

2.3.5. Message digests

2.3.6. Hashing: MD (MD2, MD4, MD5), SHA (0, 1, 2), Hashed Message Authentication Code (HMAC)

2.4. Understand key management processes

2.4.1. Creation/distribution

2.4.2. Storage/destruction

2.4.3. Recovery

2.4.4. Key escrow

2.5. Understand digital signatures

2.5.1. Digital Signature Standard (DSS): SHA-1 Hash, Digital Signature Algorithm (DSA), Encryption

2.6. Understand non-repudiation

2.7. Understand methods of cryptanalytic attacks

2.7.1. Chosen plain-text

2.7.2. Social engineering for key discovery

2.7.3. Brute Force (e.g., rainbow tables, specialized/scalable architecture): Work Factor

2.7.4. Cipher-text only

2.7.5. Known plaintext

2.7.6. Frequency analysis

2.7.7. Chosen cipher-text

2.7.8. Implementation attacks: Side Channel, Fault Analysis, Probing Attacks

2.8. Use cryptography to maintain network security

2.9. Use cryptography to maintain application security

2.10. Understand Public Key Infrastructure (PKI)

2.10.1. Certificate Revocation List (CRL)

2.10.2. Online Certificate Status Protocol (OCSP)

2.11. Understand certificate related issues

2.12. Understand information hiding alternatives (e.g., steganography, watermarking)

3. Access Control

3.1. Control access by applying the following concepts/methodologies/techniques

3.1.1. Policies

3.1.2. Types of controls (preventive, detective, corrective)
  - Before Event: Directive, Preventive, Deterrent
  - During Event: Detective
  - After Event: Compensating, Recovery, Corrective

3.1.3. Techniques (non-discretionary, discretionary and mandatory)

3.1.4. Identification and Authentication
  - Factors: Type 1: Know; Type 2: Have; Type 3: Are
  - False Rejection Rate (FRR), False Acceptance Rate (FAR), Crossover Error Rate (CER)
  - Systems: Single Sign On (SSO), Directory Services, Centralized access control, Remote Access Service (RAS)

3.1.5. Decentralized/distributed access control techniques

3.1.6. Authorization mechanisms
  - Authorization, Privileges, Access Rights
  - Discretionary Access Control (DAC): Access Control List (ACL)
  - Mandatory Access Control (MAC): Security Labels
  - Role-based Access Control (RBAC)
  - Rule-based Access Control

3.1.7. Logging and monitoring
  - Clipping Level
  - Intrusion Detection (IDS): Signature Based, Anomaly Based
  - Intrusion Protection (IPS): NIPS/HIPS

3.2. Understand access control attacks

3.2.1. Threat modeling

3.2.2. Asset valuation

3.2.3. Vulnerability analysis

3.2.4. Access aggregation

3.3. Assess effectiveness of access controls

3.3.1. User entitlement

3.3.2. Access review & audit

3.4. Identity and access provisioning lifecycle (provisioning, review, revocation)

4. Security Architecture & Design

4.1. Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)

4.1.1. Multilevel Models: Lattice-based, Matrix-based, Noninterference

4.1.2. Security Models
  - Bell-LaPadula (BLP): Write Up, Read Down; Confidentiality Focus
  - Biba Integrity Model: Write Down, Read Up; Integrity Focus
  - Lipner Model: Mix of BLP & Biba
  - Clark-Wilson Integrity Model: Information Integrity Focus
  - Brewer and Nash (Chinese Wall) Model: Separation to avoid conflicts of interest in a company
  - Graham-Denning: Assigning Rights Focus; Subject & Object Creation
  - Harrison-Ruzzo-Ullman: Integrity of Access Rights; Extension of Graham-Denning

4.1.3. Architecture Frameworks
  - Zachman Framework: Enterprise Architecture Focus
  - Sherwood Applied Business Security Architecture (SABSA): Enterprise Security Architecture Focus
  - The Open Group Architecture Framework (TOGAF): Iterative approach relying heavily on modularization, standardization & proven tech.
  - Information Technology Infrastructure Library (ITIL): Aligns IT to Business Needs

4.2. Understand the components of information systems security evaluation models

4.2.1. Product evaluation models (common criteria)

4.2.2. State Machine Model

4.2.3. Flow Model

4.3. Understand security capabilities of information systems (memory protection, virtualization, trusted platform module)

4.3.1. CPU
  - Processor Function (CPU): Fetch, Decode, Execute, Store
  - Multitasking: Time windows to split up tasks
  - Protected Mode (Ring 3): User Mode
  - Privileged Mode (Ring 0): Kernel Mode
  - Multiprocessing: Many CPUs in a System
  - Multithreading: Application usage of CPU time

4.3.2. Memory
  - Primary: CPU Registers, L1 & L2 Cache, Main Memory
  - Secondary: Disk Drives, Optical Media, USB Drives, Tape Drives, External NAS/SAN
  - Virtual Memory: Uses Secondary to emulate Primary
  - Firmware: Embedded hardware ROM (BIOS)

4.3.3. Storage
  - Storage Area Network (SAN): Fibre Channel, iSCSI (IP Based); Block Level
  - Network Attached Storage (NAS): File Level Access; Multi-protocol support
  - Redundant Array of Independent Disks (RAID): RAID 0, RAID 1, RAID 4, RAID 5, RAID 6, RAID 0+1, RAID 10; Striping = Performance; Mirroring = Fault Tolerance

4.3.4. Virtualization: Gateway between OS & Hardware; Cost efficiency, Operational efficiencies, Resource efficiencies

4.3.5. Cloud Computing
  - Platform as a Service (PaaS), Software as a Service (SaaS), Infrastructure as a Service (IaaS)
  - Deployment Models: Private, Public, Community, Hybrid

4.3.6. Trusted Computing Base (TCB): Process Activation, Domain switching (Changing security Levels), Memory Protection, I/O Operations

4.3.7. Reference Monitor: Manages access controls between subject & object

4.3.8. Certification & Accreditation
  - Trusted Computer System Evaluation Criteria (TCSEC) (Orange Book): Classes (A, B, C, D); Criteria (A1, B3, B2, B1, C2, C1, D)
  - Information Technology Security Evaluation Criteria (ITSEC): Assurance, Functionality
  - Common Criteria (ISO/IEC 15408): Protection Profile (PP), Target of Evaluation (TOE), Security Target (ST), Evaluation Assurance Levels (EAL)

4.3.9. Database Security
  - Hierarchical DataBase Management System (DBMS): Parent <> Child Hierarchy/Relationship; Single Tree, Single Table
  - Network DBMS: Stored as related objects; Many-to-many relationships
  - Relational DBMS: Structured in tables for relationships; Most Common (Oracle, Sybase, MySQL, MSSQL)
  - Terminology: Structured Query Language (SQL), Open Database Connectivity (ODBC), Extensible Markup Language (XML), Object Linking and Embedding (OLE), ActiveX Data Object (ADO), Polyinstantiation, Normalization, Views
  - Data warehouse: DB <> Warehouse collection
  - Data mining: User <> Warehouse formatting

4.4. Understand the vulnerabilities of security architectures

4.4.1. System
  - Emanations: TEMPEST
  - State Attacks: Time Of Check, Time Of Use (TOCTOU); Vulnerabilities of transitions between states
  - Covert Channels
  - Maintenance communications

4.4.2. Technology and process integration (single point of failure, service oriented architecture)

5. Software Development Security

5.1. Understand and apply security in the software development life cycle

5.1.1. Development Life Cycle
  - Waterfall: Structured
  - Clean room
  - Spiral: Iterative
  - Rapid Application Development (RAD), Joint Applications Development (JAD), Dynamic Systems Development Model (DSDM)
  - Agile: eXtreme Programming (XP), Scrum
  - Open Source
  - Computer Aided Software Engineering (CASE)
  - End-user Development: Tools & Dev belong to anyone
  - Object-Oriented: Code & Data reusable

5.1.2. Maturity models

5.1.3. Operation and maintenance

5.1.4. Change management

5.2. Understand the environment and security controls

5.2.1. Security of the software environment
  - Systems: Distributed Computing Environment (DCE), OnLine Transaction Processing (OLTP), Common Object Request Broker Architecture (CORBA)
  - Knowledge Management: Expert Systems

5.2.2. Security issues of programming languages
  - Compiled: BASIC, COBOL, Java, C, C#, C++, Ada, Visual Basic
  - Interpreted: Perl, Python, JavaScript

5.2.3. Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor)
  - Software Testing Methods: White box, Black box, Gray box
  - Input Validation: SQL Injection, Buffer under/over runs
  - Trapdoor/Backdoor, Misconfigurations, Covert Channels, Object Reuse, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF)
  - Viruses: File Infectors, Boot Sector, E-Mail, Macro, Polymorphic, Multipartite
  - Malware: Worms, Trojan horse, Spyware, Logic Bomb, Rootkit
  - Salami attack, Data diddling

5.2.4. Configuration management

5.3. Assess the effectiveness of software security

5.3.1. Certification and accreditation (i.e., system authorization)
  - Building Security In Maturity Model (BSIMM): Software Security Framework (SSF)
  - Software Engineering Institute (SEI) Capability Maturity Model (CMM): 1. Initial, 2. Repeatable, 3. Defined, 4. Managed, 5. Optimizing
  - Open Web Application Security Project (OWASP), Web Application Security Consortium (WASC)

5.3.2. Auditing and logging

5.3.3. Risk analysis and mitigation

6. Legal, Regulations, Investigations & Compliance

6.1. Understand legal issues that pertain to information security internationally

6.1.1. Computer crime: Any illegal action where data on a computer is accessed without permission. Identity theft, Investment fraud, Employment fraud

6.1.2. Intellectual property
  - Patent: Strongest Form
  - Trademark: Associated with words, symbols, colors
  - Copyright
  - Trade secrets: Must provide some benefit; Reasonable protection must be applied
  - Licensing: Software categories, Master Agreements, End-User Licensing Agreements (EULA)

6.1.3. Import/Export

6.1.4. Trans-border data flow: World Intellectual Property Organization (WIPO), Organization for Economic Cooperation and Development (OECD), Wassenaar Arrangement, Council of Europe Convention on Cybercrime

6.1.5. Privacy
  - Personally Identifiable Information (PII): Varies based on organization & country
  - Payment Card Industry Data Security Standard (PCI DSS)
  - US Health Insurance Portability and Accountability Act (HIPAA)
  - Personal Information Protection and Electronic Documents Act (PIPEDA)
  - Federal Information Security Management Act (FISMA)
  - UK Data Protection Act (DPA)
  - European Union (EU) Data Protection Directive

6.2. Understand professional ethics

6.2.1. (ISC)² Code of Professional Ethics: CISSP Expectation: Set the example, Encourage adoption

6.2.2. Support organization's code of ethics: RFC 1807, Internet Architecture Board (IAB)

6.2.3. Formal Ethics Theory: Teleology (Utilitarian), Deontology (Obligation)

6.3. Understand and support investigations

6.3.1. Policy, roles and responsibilities (e.g., rules of engagement, authorization, scope)

6.3.2. Incident handling and response: Five Stages: 1. Triage, 2. Investigate, 3. Containment, 4. Analysis & Tracking, 5. Recovery

6.3.3. Evidence collection and handling
  - Aspects of Investigations: Acquisition, Authentication, Analysis
  - Suspect Identification: Means, Opportunity, Motive (MOM)
  - Locard's Principle of Exchange: Criminals leave something behind
  - Digital Forensics: Identification, Collect & Preserve, Examine, Present Findings

6.3.4. Reporting and documenting

6.4. Understand forensic procedures

6.4.1. Media analysis

6.4.2. Network analysis

6.4.3. Software analysis

6.4.4. Hardware/embedded device analysis

6.4.5. Types of Evidence
  - Direct: Provided by witness
  - Real: Something physical
  - Documentary: Contracts & Legal Papers
  - Demonstrative: Expert Testimony
  - Hearsay: Second Hand
  - Criteria Required: Authentic, Accurate, Complete, Convincing, Admissible

6.5. Understand compliance requirements and procedures

6.5.1. Regulatory environment: HIPAA, SOX, US Gramm-Leach-Bliley Financial Services Modernization Act (GLBA), BASEL II, PCI DSS

6.5.2. Audits

6.5.3. Reporting

6.6. Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)

6.7. Legal Systems

6.7.1. Common
  - Components: Legal Precedent, Customs, Societal Tradition
  - Adversarial Litigation; Reasonable Doubt
  - Criminal: Loss of freedom
  - Tort: Deals with Civil Matters
  - Administrative: Regulations & Control of power

6.7.2. Civil: Relies on legislation & written rules; Code-based; Napoleonic

6.7.3. Religious

6.7.4. Customary

6.7.5. Mixed

6.7.6. Maritime

6.8. Legal Concepts

6.8.1. Jurisdiction

6.8.2. Sovereignty

6.8.3. Liability

6.8.4. Negligence

6.8.5. Due Care

6.8.6. Due Diligence

6.8.7. Obligation

7. Information Security Governance & Risk Management

7.1. Understand and align security function to goals, mission and objectives of the organization

7.2. Understand and apply security governance

7.2.1. Organizational processes: Acquisitions, Divestitures, Governance Committees

7.2.2. Security roles and responsibilities
  - Data Owner: Protection & Classification of data
  - Data Custodian: Implements & Maintains Controls

7.2.3. Legislative and regulatory compliance

7.2.4. Privacy requirements compliance

7.2.5. Control frameworks

7.2.6. Due care

7.2.7. Due diligence

7.3. Understand and apply concepts of confidentiality, integrity and availability

7.4. Develop and implement security policy

7.4.1. Security policies
  - Strategic: High Level, Broad, Long-range; Corporate Policy
  - Tactical: Mid-level focus; Impacts entire organization; Standards, Baselines, Guidelines established
  - Operational: Affects day to day; Processes, Procedures
  - Example: ISO 27001 (Policy focus), ISO 27002 (Procedure focus)

7.4.2. Standards/baselines: Set basis for common practice; Can come from industry, orgs or Gov't.

7.4.3. Procedures: Required minimum levels

7.4.4. Guidelines: Recommendations

7.4.5. Documentation: Step-by-step descriptions

7.5. Manage the information life cycle (e.g., classification, categorization, and ownership)

7.5.1. Private: Confidential, Private, Sensitive, Public

7.5.2. US Government: Top Secret, Secret, Confidential, Sensitive But Unclassified (SBU), Unclassified

7.6. Manage third-party governance

7.6.1. On-site assessment

7.6.2. Document Exchange & Review

7.6.3. Process & Policy Review

7.7. Understand and apply risk management concepts

7.7.1. Identify threats and vulnerabilities
  - Cause: Man-made, Natural
  - Time: Speed of Onset, Speed of Recession
  - Destructiveness: Physical, Logical
  - Duration: Permanent, Temporary
  - Extent: Size/Scope
  - Directness: Direct (Fire), Indirect (Smoke)

7.7.2. Risk assessment/analysis
  - Qualitative: Non-Numerical (Low, Medium, High); Dependent on judgment, intuition & experience; Techniques
  - Quantitative: Based on Numerical values; Values Remain Constant; Methods, Techniques
  - Hybrid: Numerical only relevant within assessment

7.7.3. Risk Handling
  - Mitigation/Reduction: Take effort to prevent loss. Example: Buy Snow Tires
  - Transfer: Insurance, Outsource. Example: Take Taxi
  - Avoid. Example: Don't Drive
  - Accept. Example: Drive Anyway

7.7.4. Countermeasure selection

7.7.5. Tangible and intangible asset valuation

7.7.6. Publications: NIST SP 800-30 defines steps in risk assessment

7.8. Manage personnel security

7.8.1. Employment candidate screening: Reference Checks, Education Verification

7.8.2. Employment agreements and policies

7.8.3. Employee termination processes

7.8.4. Vendor, consultant and contractor controls

7.9. Develop and manage security education, training and awareness

7.10. Manage the Security Function

7.10.1. Budget

7.10.2. Metrics

7.10.3. Resources

7.10.4. Develop and implement information security strategies

7.10.5. Assess the completeness and effectiveness of the security program: Awareness, Training, Education

8. Business Continuity & Disaster Recovery Planning

8.1. Understand business continuity requirements

8.1.1. Develop and document project scope and plan: Obtain leadership buy-in

8.1.2. Standards: BS 25999, BS 22301, ISO 27001 Annex A, NIST SP 800-34

8.2. Conduct business impact analysis

8.2.1. Identify and prioritize critical business functions

8.2.2. Determine maximum tolerable downtime and other criteria: Recovery Time Objective (RTO), Mean Time To Recovery (MTTR), Mean Time Between Failures (MTBF), Maximum Tolerable Period of Downtime (MTPD), Maximum Tolerable Downtime (MTD)

8.2.3. Assess exposure to outages: Local, Regional, Global

8.2.4. Define recovery objectives
  - Recovery Point Objectives (RPO)
  - Backup Strategies: Cold, Hot, Full, Differential, Incremental

8.3. Develop a recovery strategy

8.3.1. Implement a backup storage strategy: Offline Storage, Electronic Vaulting, Tape Rotation

8.3.2. Recovery site strategies: Dual Data Center, Hot, Warm, Cold, Mobile

8.4. Understand disaster recovery process

8.4.1. Response

8.4.2. Personnel

8.4.3. Communications

8.4.4. Assessment

8.4.5. Restoration

8.4.6. Provide training

8.5. Exercise, assess and maintain the plan

8.5.1. Version Control: Update plans annually at a minimum

8.5.2. Distribution

8.5.3. Assessment Types
  - Full Interruption: Shutdown & Relocate
  - Parallel Testing: Recreation of Work
  - Simulation: Functional Test/War Game
  - Walk Through: Tabletop
  - Desk Check: Review Plan

9. Telecommunications & Network Security

9.1. Understand secure network architecture and design

9.1.1. OSI and TCP/IP models
  - Open Systems Interconnect (OSI) Model: Layer 7: Application; Layer 6: Presentation; Layer 5: Session; Layer 4: Transport; Layer 3: Network; Layer 2: Data Link; Layer 1: Physical
  - TCP/IP: Application, Transport, Internetwork, Network Access

9.1.2. IP networking
  - VLANs
  - Encapsulation: Adds header information to payload
  - De-encapsulation: Removes header information from payload
  - Routing Protocols: RIP, OSPF, BGP

9.1.3. Implications of multi-layer protocols: Supervisory Control And Data Acquisition (SCADA): Modbus, Fieldbus, Distributed Network Protocol (DNP)

9.2. Securing network components

9.2.1. Hardware: Modems, Switches, Routers, Wireless Access Points

9.2.2. Transmission media: Wired, Wireless, Fiber

9.2.3. Network access control devices: Firewalls, Proxies

9.2.4. End-point security

9.3. Establish secure communication channels

9.3.1. Voice: POTS, PBX, VoIP

9.3.2. Multimedia collaboration: Remote Meetings, Instant Messaging

9.3.3. Remote access
  - Screen Scraping, Virtual Desktops, Telecommuting
  - VPN: Point to Point Tunnelling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)

9.3.4. Data communications
  - SSL, TLS
  - MultiProtocol Label Switching (MPLS): QoS, Packet Switched, Segmentation
  - WAN: T1, T3, E1, E3, OC1, OC12, Asynchronous Transfer Mode (ATM), Frame Relay, xDSL, Integrated Services Digital Network (ISDN)
  - IPSec: Authentication Header (AH), Encapsulating Security Payload (ESP), Security Association (SA)

9.4. Understand network attacks

9.4.1. DDoS

9.4.2. Spoofing

9.4.3. Host Based IDS (HIDS)

9.4.4. Network Based IDS (NIDS)

10. Physical (Environmental) Security

10.1. Understand site and facility design considerations

10.1.1. Crime Prevention Through Environmental Design (CPTED): Physical Layout, Monitoring, Hardening

10.1.2. Power Faults: Blackout, Brownout, Sag, Fault, Spike, Surge, Noise, Transient, In-Rush

10.2. Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)

10.2.1. Fences
  - Heights: 1 Meter, 2 Meters, 2.5 Meters
  - Mesh Size: 1", 2", 3/8"
  - Gauge (Smaller = Thicker): 6, 9, 11, 12

10.2.2. Bollards

10.2.3. Natural: Trees, Berms, Gullies

10.2.4. Walls

10.2.5. Doors: Fail Safe, Fail Secure; Tailgating/Piggybacking

10.2.6. CCTV: 5 footcandles (fc) for critical areas; 2 fc for normal operations

10.2.7. Windows: Plate, Tempered, Acrylic, Polycarbonate, Laminate, Embedded Wire

10.2.8. Lighting: Fluorescent, LED, Mercury Vapor, Sodium Vapor, Quartz

10.3. Support the implementation and operation of internal security

10.3.1. Escort Requirements

10.3.2. Visitor Control

10.3.3. Keys & Locks
  - Locks: Key, Combination, Biometric, Electronic
  - Shear Point

10.4. Support the implementation and operation of facilities security (e.g., technology convergence)

10.4.1. Communications and server rooms

10.4.2. Restricted and work area security

10.4.3. Data center security: Intrusion Detection: Active Infrared, Passive Infrared

10.4.4. Utilities and Heating, Ventilation and Air Conditioning (HVAC) considerations
  - Volume: Size of facility considerations
  - Humidity Levels: Equipment requirements
  - Temperature: Consistent
  - Quality: Dust & Contaminant Removal

10.4.5. Water issues: Leakage, Flooding

10.4.6. Fire
  - Prevention, Detection, Suppression
  - Requirements: Oxygen, Heat, Fuel
  - Types: Class A, Class B, Class C, Class D, Class K (mnemonic: Combustible, Fluids, Excite, Me, K?)

10.5. Support the protection and securing of equipment

10.6. Understand personnel privacy and safety (e.g., duress, travel, monitoring)

10.7. Goals

10.7.1. Deter: Signs, Fences

10.7.2. Delay: Locks

10.7.3. Detect: Sensors, Cameras

10.7.4. Assess: Weather, Emergency Process

10.7.5. Respond: Reaction Team

10.7.6. Recover: Data Restoration

10.7.7. Life, Health & Safety take precedence.